Re: Full system encryption with support for hibernation




Karol Babioch wrote:
Hi,

I've recently set up full encryption of my system (including swap), but
therefore lost the possibility to suspend my device to disk (hibernate).

The only way mentioned in the wiki is strongly not recommended, as you
would have to place your key on the unencrypted boot partition, which
basically conflicts with the idea of full encryption (see
http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt#Encrypted_swap_with_suspend-to-disk_support).

While looking for a solution, the only thing I could figure out was to
set up LVM and encrypt the whole LVM partition, which would include
the swap. This way all of my stuff would get unlocked, including the
swap, and therefore my system could resume from a former hibernation.

Before setting this up (which will take some time, as I have to back up,
configure and restore my stuff) I wanted to ask you whether this will
work as intended, and if there may be any better solutions.

How do you get both hibernation and full encryption working together?

It is possible. Consider the following setup:

You have two partitions: one small (50MB) /boot, /dev/sda1, and the rest, /dev/sda2. Now you create a LUKS volume in /dev/sda2; let's call this volume enc. Inside /dev/mapper/enc create an LVM physical volume. Then create your root, swap, home, ... filesystems as logical volumes inside the LVM (let's say they are called /dev/vg/{root,swap,home,...}). That way, you just need to enter ONE passphrase to be able to access all your volumes, including swap and root.

The installer (AIF) can set all the above up correctly, however, the current version will make the wrong grub line. In the described setup, it should be:

cryptdevice=/dev/sda2:enc root=/dev/vg/root resume=/dev/vg/swap ro

Your mkinitcpio.conf should have the following line:

HOOKS="base udev pata scsi sata keymap encrypt lvm2 resume filesystems"
(note that lvm2 is before resume, not after)

This setup will make it possible to use hibernation on an encrypted system without a separate key storage and without having to enter more than one passphrase. It is also a very elegant setup, as you have the usual advantages of LVM.

Have fun!

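The setup in the reply above hinges on two details that are easy to get wrong: the kernel command line must point resume= at the swap logical volume (which only exists after the LUKS mapping and LVM activation), and the mkinitcpio HOOKS order must activate encrypt, then lvm2, then resume. The script below is an added example, not code from the original mail or from Arch's tooling, that checks both properties on configuration text. The sample HOOKS lines and command lines are constructed to match the values given in the reply; on a real system you would feed it the HOOKS line from /etc/mkinitcpio.conf and the contents of /proc/cmdline.

```shell
#!/bin/sh
# Added example (not from the original mail): sanity checks for the
# "LUKS -> LVM -> swap LV" hibernation setup.  Pure POSIX sh, no disk access.

# hook_index HOOKS_LINE NAME
# Prints the 1-based position of NAME in the HOOKS line, or 0 if it is absent.
# Accepts HOOKS="..." (as on the page) and the newer HOOKS=(...) array form.
hook_index() {
    hooks=${1#HOOKS=}
    hooks=${hooks#\"}; hooks=${hooks%\"}
    hooks=${hooks#\(}; hooks=${hooks%\)}
    i=0
    for h in $hooks; do
        i=$((i + 1))
        [ "$h" = "$2" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# check_hooks HOOKS_LINE
# Returns 0 only if encrypt < lvm2 < resume < filesystems, i.e. the LUKS
# container is opened before the volume group is scanned, and the swap LV
# exists before the resume hook looks for a hibernation image.
check_hooks() {
    e=$(hook_index "$1" encrypt)
    l=$(hook_index "$1" lvm2)
    r=$(hook_index "$1" resume)
    f=$(hook_index "$1" filesystems)
    for n in "$e" "$l" "$r" "$f"; do
        [ "$n" -gt 0 ] || return 1      # a required hook is missing
    done
    [ "$e" -lt "$l" ] && [ "$l" -lt "$r" ] && [ "$r" -lt "$f" ]
}

# check_cmdline CMDLINE
# Returns 0 when cryptdevice=, root= and resume= are all present and resume=
# does not name the raw LUKS partition itself (resume must target the swap LV
# inside the opened container, not the ciphertext device).
check_cmdline() {
    raw=''; res=''; have_root=0
    for arg in $1; do
        case "$arg" in
            cryptdevice=*) raw=${arg#cryptdevice=}; raw=${raw%%:*} ;;
            root=*)        have_root=1 ;;
            resume=*)      res=${arg#resume=} ;;
        esac
    done
    [ -n "$raw" ] && [ "$have_root" -eq 1 ] && [ -n "$res" ] || return 1
    [ "$res" != "$raw" ]
}

# Constructed samples: the first of each pair matches the reply, the second
# shows a mistake the checks are meant to catch.
GOOD_HOOKS='HOOKS="base udev pata scsi sata keymap encrypt lvm2 resume filesystems"'
BAD_HOOKS='HOOKS="base udev pata scsi sata keymap encrypt resume lvm2 filesystems"'
GOOD_CMD='cryptdevice=/dev/sda2:enc root=/dev/vg/root resume=/dev/vg/swap ro'
BAD_CMD='cryptdevice=/dev/sda2:enc root=/dev/vg/root resume=/dev/sda2 ro'

for line in "$GOOD_HOOKS" "$BAD_HOOKS"; do
    if check_hooks "$line"; then echo "hooks OK : $line"; else echo "hooks BAD: $line"; fi
done
for line in "$GOOD_CMD" "$BAD_CMD"; do
    if check_cmdline "$line"; then echo "cmdline OK : $line"; else echo "cmdline BAD: $line"; fi
done
```

Running it prints OK for the two lines taken from the reply and BAD for the swapped hook order and for a resume= that points at the ciphertext partition; the latter is the failure mode in which the initramfs opens the container fine but never finds a hibernation image, so the machine silently cold-boots instead of resuming.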

